Re: [dom] Proposal to improve the DOM creation api (#150)

Alright, here is the initial draft of the `html` tagged template https://github.com/straker/html-tagged-template. 

I combined the best principles of E4H and contextual auto escaping to prevent XSS attacks, and it turned out pretty well if I do say so myself. What I would love now is help from security experts, like Mike Samuels who wrote about contextual auto escaping, to further the XSS prevention since I don't have a lot of experience in that area.

Also, I'm not sure the best way to allow HTML variable substitution to be marked as safe so it isn't escaped when added to the DOM.

(As a side note, currently the coverage stats should be 98% but something in our Travis config isn't pushing the results to Coveralls correctly.)

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/150#issuecomment-186461980

Received on Saturday, 20 February 2016 00:09:57 UTC
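The contextual auto-escaping and "mark as safe" ideas from the message above, as an added example that is not code from the html-tagged-template project: an `html` tag that returns a string instead of DOM nodes (so it runs outside a browser), escapes by context, and honours a `SafeHtml` wrapper only in text content. The `SafeHtml`/`safeHtml` names and the URL attribute and scheme allow-lists are assumptions made for this example.

```javascript
// Added example, not the project's code. Returns a string, not DOM nodes.
// The context of each substitution is read from the literal text emitted so
// far: text content, a double-quoted attribute value (URL attributes also get
// a scheme check), or a position inside a tag where substitution is refused.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Wrapper marking markup as trusted (assumed name). Honoured only in
// text-content context; in attribute context the value is still escaped.
class SafeHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}
function safeHtml(markup) { return new SafeHtml(markup); }

// Constructed allow-lists: attributes that take URLs, and permitted schemes.
const URL_ATTRS = new Set(['href', 'src', 'action']);
const URL_SCHEMES = new Set(['http', 'https', 'mailto']);
function safeUrl(url) {
  // Browsers ignore ASCII control characters in URLs, so strip them before
  // reading the scheme so that "java\nscript:" is still caught.
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url.replace(/[\x00-\x20]/g, ''));
  return !m || URL_SCHEMES.has(m[1].toLowerCase()) ? url : 'about:invalid';
}

function html(strings, ...values) {
  let out = '';
  for (let i = 0; i < strings.length; i++) {
    out += strings[i];
    if (i >= values.length) break;
    const v = values[i];
    const tagStart = out.lastIndexOf('<');
    const inTag = tagStart > out.lastIndexOf('>');
    // Inside a tag and after an unclosed `name="` means attribute-value context.
    const attr = inTag ? /([a-zA-Z-]+)\s*=\s*"[^"]*$/.exec(out.slice(tagStart)) : null;
    if (attr) {
      let s = String(v);
      if (URL_ATTRS.has(attr[1].toLowerCase())) s = safeUrl(s);
      out += escapeHtml(s);
    } else if (inTag) {
      throw new TypeError('substitution not allowed in tag or attribute-name position');
    } else if (v instanceof SafeHtml) {
      out += v.markup;        // explicitly marked safe: inserted verbatim
    } else {
      out += escapeHtml(v);   // text-content context
    }
  }
  return out;
}
```

Only double-quoted attribute values are recognised; unquoted and single-quoted attributes fall into the refused "inside a tag" case.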